#######################################################################
Luigi Auriemma
Application: Soldat
http://www.soldat.pl
Versions: game <= 1.4.2 and dedicated server <= 2.6.2
Platforms: Windows (Linux not affected)
Bugs: A] clients crash caused by too long strings on the screen
B] denial of service through file transfer port
C] easy IP banning
Exploitation: remote
A] versus clients
B] versus server (Windows only)
C] versus specific clients
Date: 23 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
==============1) Introduction
==============
Soldat is a small and cool 2D multiplayer game with tons of players and
servers around the world.
#######################################################################
======2) Bugs
======
First a short introduction about the types of servers available in the
game:
- game server / non-dedicated server: a player runs Soldat.exe, starts
the server and plays in it automatically (player is both client and
server at the same time)
- game dedicated server: Soldat.exe -dedicated, as above but the player
cannot play, he will only see a graphical interface for handling the
server
- dedicated server: this is referred to the stand-alone dedicated
server (uses a version number different than the game) which is
available for both Windows and Linux and runs in console
---------------------------------------------------------
A] clients crash caused by too long strings on the screen
---------------------------------------------------------
The messages visualized on the screen of the clients can't be longer
than about 512 bytes otherwise a crash will occurr.
An attacker can exploit this problem in at least two ways:
- if the server is non-dedicated he can simply send this long string
with a line feed at the end to the file transfer port (default
23083), the server will crash immediately
- if the server is dedicated the attacker can send the long string as
an in-game chat message and any player in it will crash like in the
previous example
Doesn't seem possible to use this bug for executing malicious code.
-----------------------------------------------
B] denial of service through file transfer port
-----------------------------------------------
The file transfer port (default 23083 or client port plus 10) supports
input strings of max 16384 bytes (life feed included) and can be a
problem for both the dedicated and non-dedicated Windows server:
- the dedicated server runs in a classical console, which means that an
attacker can use some chars (like 0x07) for "beeping" and freezing
the Windows console due to the visualization of the requested map on
the screen, during the attack the players in the server cannot play
and the server is a hell of beeps and slowness
- the game dedicated server (Soldat.exe -dedicated) suffers of a
similar effect too since it will become very slow to use and to play
on it
------------------
C] easy IP banning
------------------
this is a problem affecting Soldat from long time, in fact the bug is
just in the lack of a real check on the players which join the server,
in short it's enough one single UDP packet for being inside it.
While in the past the banning happened with malformed packets (I wrote
a PoC for it), in the recent versions is possible to exploit this
problem sending multiple join packets causing a banning of 20 minutes
for the source IP address.
So if an attacker can spoof his packets he could ban one or more IP
addresses on a specific server.
In my opinion this is not a so great problem, I have reported it here
only for thoroughness.
#######################################################################
==========3) The Code
==========
http://aluigi.org/poc/soldatdos.zip
#######################################################################
=====4) Fix
=====
No fix.
I'm in contact with the developer from over two weeks but unfortunately
I'm not able to explain these bugs better than how I have done here...
#######################################################################
---
Luigi Auriemma
http://aluigi.orghttp://mirror.aluigi.org